State privacy laws may undercut electronic medical records

A study looks at correlations between state medical privacy laws and the …

The US government has now adopted a policy of fostering the adoption of electronic medical records (EMR). The policy is intended to increase the efficiency of the US healthcare system, thereby lowering costs and reducing the incidence of preventable errors. At the same time, through its Health Insurance Portability and Accountability Act (HIPAA) privacy rules, the government has set minimum standards for the security of those records. These two goals—privacy and security of these records, along with their free interchange among medical providers—can easily wind up at odds with each other. A recent study that looked at the role of state privacy laws in EMR adoption suggests that the problem is very real, as state privacy laws seem to inhibit the use of EMR by hospitals located there.

The authors, based at MIT and the University of Virginia, line up a variety of data that validate their suggestion that privacy and the use of EMR may require a careful balance. So, for example, they cite some highly publicized lapses when it comes to the maintenance of patient privacy: someone once offered the records of 200,000 patients for sale on Craigslist, while hospitals have seen their own employees attempt to get at the electronic files of famous patients.

Perhaps more significantly, the authors suggest that the public, as represented by their legislators, has concerns about the privacy of EMR. They found that states that have passed their own privacy laws to supplement the HIPAA rules tend to have a higher percentage of their populace signed up for the Do Not Call Registry, indicating a corresponding individual-level interest in maintaining privacy. So, they looked at whether these laws had any impact on the adoption of EMR by hospitals located in each state.

The authors have a pretty good data set when it comes to the use of EMR by hospitals. The Healthcare Information and Management Systems Society has tracked the adoption of electronic records over a number of years, and its database covers 90 percent of the private hospitals (both private and nonprofit) and about half of the government-run ones. Out of the over 4,000 hospitals in that database, about 1,400 reported the precise timing of when they adopted an EMR system.

Unfortunately, the data isn't nearly as good when it comes to state laws. In what might be the biggest weakness of the study (one the authors themselves acknowledge), for the purposes of analysis, the presence of state privacy laws is treated as a yes/no question—a state either has it, or it doesn't. The authors make no attempt to evaluate the degree to which the laws might restrict information sharing among hospitals. The only way this is controlled for is by performing separate analyses before and after the release of the HIPAA rules (any law passed afterwards is more likely to be restrictive), and they find that this makes no difference to their results.

That said, the authors find a fairly robust effect of privacy laws. The presence of these laws appears to be inhibiting the adoption of EMR—the authors estimate the impact as reducing the rate of adoption by as much as a quarter. They also seem to limit the network effect that should be promoted by the use of EMR. For starters, the adoption of EMR by one hospital within a state seems to increase its use by others in the area by about six percent; state privacy laws eliminate this effect. Another issue arises from the choice of software, as hospitals in states without privacy laws are more likely to adopt software that doesn't allow the free exchange of records. That latter statistic goes a long way towards explaining why, although half of the hospitals had adopted some form of EMR, less than 40 percent had actually exchanged records with another institution.

The authors come across a few other factors that seem to influence the adoption of EMR. It tends to be more common in large, older hospitals, which the authors ascribe to the high up-front costs for rolling out the system and converting existing records. Big, multi-region chain hospitals, which would seem to be a natural fit for EMR, actually lag the national average. When they asked several medical experts about this, they found that it's because these groups are trapped in old, DOS-based systems that are difficult to upgrade.

Overall, the authors' findings are based on correlations, and they recognize that there may be factors that are unaccounted for that influence these outcomes. Still, on a general level, even identifying patterns of slow EMR adoption will be important if the government is to reach its goal of widespread EMR adoption within a decade.

If their proposed link between EMR and privacy concerns turns out to be robust, however, it would suggest that the public still has significant concerns about maintaining the privacy and security of these records, and that those worries are translating into resistance. If that's the case, then the government needs to do a better job not just of encouraging the adoption of this technology, but of explaining to its citizens why doing so will be in their long-term interest.